Vulnerabilities / Threats
10:13 AM
Connect Directly

Adobe Reader, Acrobat Under Attack

Cue the security fatigue: Zero-day attacks target Adobe Reader and Acrobat, Adobe pushes second Flash patch, Microsoft fixes 57 flaws.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Zero-day vulnerabilities in the most recent versions of Adobe Reader and Acrobat are being actively exploited by attackers, who are emailing malicious PDFs to targets to remotely compromise their PCs.

That warning comes from researchers at security firm FireEye, which said it's provided copies of the exploit code to Adobe. "A PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," according to a security warning posted Tuesday by FireEye. "Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain."

Adobe said it's investigating the alleged zero-day bugs. "Adobe is aware of a report of a vulnerability in Adobe Reader and Acrobat XI (11.0.1) and earlier versions being exploited in the wild," according to a brief Adobe vulnerability report released Tuesday. "We are currently investigating this report and assessing the risk to our customers. We will provide an update as soon as we have more information."

[ Can the government help with cybersecurity? Read White House Cybersecurity Executive Order: What It Means. ]

No additional details about the zero-day vulnerabilities have been publicly released, and it's not clear if the bugs allow attackers to bypass the sandbox built into Reader and Acrobat. But until the vulnerability gets patched, FireEye recommended that users avoid opening any PDF files of unknown origin.

Adobe Tuesday also patched known Flash Player vulnerabilities in Shockwave Player, Flash Player, and Adobe AIR, by releasing updates for Windows, Mac OS X, Linux and Android. That marked the second time in less than a week that Adobe, which normally only releases quarterly patch updates, released "out of band" patches to mitigate in-the-wild exploits of bugs in its products. In addition, Oracle still plans to release further patches on February 19.

In other words, 2013 is already turning out to be a banner year for bug spotting. For starters, new flaws recently surfaced not just in Flash and Adobe Reader and Acrobat, but also Internet Explorer and Java.

Microsoft Tuesday patched 57 vulnerabilities in its products, as part of its regularly scheduled, monthly patch release, and many of the bugs have been labeled as critical. "[The] critical vulnerabilities all potentially enable remote code execution, as does the SharePoint server related bulletin rated 'important' this month," said Kurt Baumgartner, a senior security researcher at Kaspersky Lab, in a blog post. "The other vulnerabilities enable elevation of privilege and denial of service attacks. Several of the vulnerabilities have been publicly disclosed, and at least one is known to be publicly exploited."

Many security experts are advising security managers to prioritize the Internet Explorer patch, which fixes 13 vulnerabilities -- privately reported to Microsoft and not yet detailed publicly -- which attackers could use to remotely exploit code on vulnerable machines. "Despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. Indeed, expect attackers to be working overtime to reverse-engineer the patches, which would allow them to craft attacks that exploit Windows PCs that haven't been patched.

One critical Microsoft patch addresses flaws in the Windows media codec, which could be exploited by crafting a malicious media file. Another fix targets vulnerabilities in the RTF file format that could be exploited by crafting a malicious RTF file, which if opened in Microsoft Word or WordPad would allow an attacker to compromise the PC. "Microsoft warns that this is likely to be exploited in the wild within 30 days," said Ducklin.

While those vulnerabilities affect clients, another critical vulnerability exists on Microsoft Exchange servers with Oracle's Outside In technology. The vulnerabilities could be exploited by attackers to remotely compromise the server or create a denial of service.

Security researchers have also published further details of the bugs that were patched last week in Adobe's Flash Player. According to a blog post from Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov, the vulnerabilities (designated CVE-2013-0633) are being actively exploited by "so-called 'legal' surveillance malware created by the Italian company HackingTeam." The Italian company's surveillance software is called RCS (Remote Control System), aka DaVinci, and has been used "against human rights activists and political dissidents from Africa, South America and the Middle East," according to the researchers.

The Kaspersky Lab researchers said they cataloged six different ways that RCS has been installed on targets' computers, and four of them employ zero-day vulnerabilities. "Interestingly ... two of the 0-days appear to have been created by the French offensive security company Vupen," said the researchers. "The link was also previously pointed out by Citizen Lab's report, which says it's unclear if the exploits used with HackingTeam's malware have been purchased from Vupen, or just engineered in parallel."

Chaouki Bekrar, CEO and head of research for Vupen, dismissed as "defamatory allegations and unproven claims" the Kaspersky Lab suggestion that his company may have sold the zero-day vulnerabilities to HackingTeam. "We did not develop nor sell any of these exploits," Bekrar said via email. "In the vulnerability research field, it often happens that many unlinked researchers, groups or companies work on similar flaws or exploits without knowledge of the others, we call this vulnerability overlaps and it's very common and usual."

Note: Story updated to correct error in number of flaws fixed.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
2/13/2013 | 7:47:26 PM
re: Adobe Reader, Acrobat Under Attack
It will be interesting to see if there's a sandbox bypass here in this new exploit.

Kelly Jackson Higgins, Senior Editor, Dark Reading
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.